linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
@ 2019-07-29 21:47 Kees Cook
  2019-07-29 21:55 ` Jens Axboe
  0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2019-07-29 21:47 UTC (permalink / raw)
  To: Jens Axboe
  Cc: Jeffrin Jose T, linux-kernel, Dan Carpenter, Nick Desaulniers,
	Steven Rostedt, Andy Shevchenko, Alexander Shishkin, tobin,
	Dmitry Vyukov, Alexander Potapenko, Tejun Heo

Jeffrin reported a KASAN issue:

  BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
  Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
  ...
  The buggy address belongs to the variable:                 
    cdb.48319+0x0/0x40                                        

Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
eject_tray()"), this fixes a cdb[] buffer length, this time in
zpodd_get_mech_type():

We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Reported-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Fixes: afe759511808c ("libata: identify and init ZPODD devices")
Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v2: added reported/tested-by and direct to Jens
---
 drivers/ata/libata-zpodd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
index 173e6f2dd9af..eefda51f97d3 100644
--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
 	unsigned int ret;
 	struct rm_feature_desc *desc;
 	struct ata_taskfile tf;
-	static const char cdb[] = {  GPCMD_GET_CONFIGURATION,
+	static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_GET_CONFIGURATION,
 			2,      /* only 1 feature descriptor requested */
 			0, 3,   /* 3, removable medium feature */
 			0, 0, 0,/* reserved */
-- 
2.17.1


-- 
Kees Cook

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
  2019-07-29 21:47 [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type() Kees Cook
@ 2019-07-29 21:55 ` Jens Axboe
  2019-07-29 21:58   ` Nick Desaulniers
  0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2019-07-29 21:55 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jeffrin Jose T, linux-kernel, Dan Carpenter, Nick Desaulniers,
	Steven Rostedt, Andy Shevchenko, Alexander Shishkin, tobin,
	Dmitry Vyukov, Alexander Potapenko, Tejun Heo

On 7/29/19 3:47 PM, Kees Cook wrote:
> Jeffrin reported a KASAN issue:
> 
>    BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
>    Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
>    ...
>    The buggy address belongs to the variable:
>      cdb.48319+0x0/0x40
> 
> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> eject_tray()"), this fixes a cdb[] buffer length, this time in
> zpodd_get_mech_type():
> 
> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Applied, thanks.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
  2019-07-29 21:55 ` Jens Axboe
@ 2019-07-29 21:58   ` Nick Desaulniers
  2019-07-29 22:00     ` Jens Axboe
  0 siblings, 1 reply; 5+ messages in thread
From: Nick Desaulniers @ 2019-07-29 21:58 UTC (permalink / raw)
  To: Jens Axboe
  Cc: Kees Cook, Jeffrin Jose T, LKML, Dan Carpenter, Steven Rostedt,
	Andy Shevchenko, Alexander Shishkin, tobin, Dmitry Vyukov,
	Alexander Potapenko, Tejun Heo

On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <axboe@kernel.dk> wrote:
>
> On 7/29/19 3:47 PM, Kees Cook wrote:
> > Jeffrin reported a KASAN issue:
> >
> >    BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> >    Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> >    ...
> >    The buggy address belongs to the variable:
> >      cdb.48319+0x0/0x40
> >
> > Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> > eject_tray()"), this fixes a cdb[] buffer length, this time in
> > zpodd_get_mech_type():
> >
> > We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> > ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>
> Applied, thanks.

Dropped my reviewed by tag. :(
https://lkml.org/lkml/2019/7/22/865
-- 
Thanks,
~Nick Desaulniers

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
  2019-07-29 21:58   ` Nick Desaulniers
@ 2019-07-29 22:00     ` Jens Axboe
  2019-07-30  4:27       ` Kees Cook
  0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2019-07-29 22:00 UTC (permalink / raw)
  To: Nick Desaulniers
  Cc: Kees Cook, Jeffrin Jose T, LKML, Dan Carpenter, Steven Rostedt,
	Andy Shevchenko, Alexander Shishkin, tobin, Dmitry Vyukov,
	Alexander Potapenko, Tejun Heo

On 7/29/19 3:58 PM, Nick Desaulniers wrote:
> On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <axboe@kernel.dk> wrote:
>>
>> On 7/29/19 3:47 PM, Kees Cook wrote:
>>> Jeffrin reported a KASAN issue:
>>>
>>>     BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
>>>     Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
>>>     ...
>>>     The buggy address belongs to the variable:
>>>       cdb.48319+0x0/0x40
>>>
>>> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
>>> eject_tray()"), this fixes a cdb[] buffer length, this time in
>>> zpodd_get_mech_type():
>>>
>>> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
>>> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>>
>> Applied, thanks.
> 
> Dropped my reviewed by tag. :(
> https://lkml.org/lkml/2019/7/22/865

I'll add it.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
  2019-07-29 22:00     ` Jens Axboe
@ 2019-07-30  4:27       ` Kees Cook
  0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2019-07-30  4:27 UTC (permalink / raw)
  To: Jens Axboe
  Cc: Nick Desaulniers, Jeffrin Jose T, LKML, Dan Carpenter,
	Steven Rostedt, Andy Shevchenko, Alexander Shishkin, tobin,
	Dmitry Vyukov, Alexander Potapenko, Tejun Heo

On Mon, Jul 29, 2019 at 04:00:08PM -0600, Jens Axboe wrote:
> On 7/29/19 3:58 PM, Nick Desaulniers wrote:
> > On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <axboe@kernel.dk> wrote:
> >>
> >> On 7/29/19 3:47 PM, Kees Cook wrote:
> >>> Jeffrin reported a KASAN issue:
> >>>
> >>>     BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> >>>     Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> >>>     ...
> >>>     The buggy address belongs to the variable:
> >>>       cdb.48319+0x0/0x40
> >>>
> >>> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> >>> eject_tray()"), this fixes a cdb[] buffer length, this time in
> >>> zpodd_get_mech_type():
> >>>
> >>> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> >>> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
> >>
> >> Applied, thanks.
> > 
> > Dropped my reviewed by tag. :(
> > https://lkml.org/lkml/2019/7/22/865

Argh, sorry!

> I'll add it.

Thanks! :)

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-07-30  4:27 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29 21:47 [PATCH v2] libata: zpodd: Fix small read overflow in zpodd_get_mech_type() Kees Cook
2019-07-29 21:55 ` Jens Axboe
2019-07-29 21:58   ` Nick Desaulniers
2019-07-29 22:00     ` Jens Axboe
2019-07-30  4:27       ` Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).